DS – Datakrop Solutions
Data Subject – A natural person whose personal data is processed by DS or by third parties contracted by DS.
Controller – Datakrop Solutions
Processor – Governance, Risk, and Compliance Manager (GRCO).
Third Country – Any country outside India.
Vendor – Vendors contracted by DS.
Rights of Data Subjects
In alignment with the applicable regulations, DS shall provide data subjects with certain access rights with respect to their personal data.
Those rights are summarized below:
Basic Information – the right to be informed about the organization and how a data subject’s personal data is processed.
Access Rights – the right to request a summary of the data subject’s personal data that is processed by DS, along with a copy of such personal data.
Portability – the right to request that DS provide a copy of the data subject’s personal data in a machine-readable form for transfer to another party, where applicable.
Rectification – the right to request to correct errors or update a data subject’s personal data.
Erasure – the right to request the erasure of personal data held by DS, where DS no longer requires it.
Restriction on Use – the right to request to stop processing a data subject’s personal data.
Objection to Use – the right to object to the assertion that DS has a legitimate interest in processing a data subject’s personal data. This also includes automated processing of personal data.
Requests received from the Data Subjects shall be maintained by GRCO.
Fair and Lawful Processing of Personal Data and Special Categories of Personal Data
DS shall ensure that personal data is processed fairly and lawfully and that the legal grounds for the processing have been clearly identified prior to processing. DS shall collect and process the personal data of data subjects when one of the following applies:
The Data Subject has explicitly consented to the processing of his or her personal data for one or more specific purposes.
Processing is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at his or her request prior to entering into a contract.
Processing is necessary in accordance with the applicable laws.
Processing is necessary to protect the vital interests of Data Subject or of another natural person.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Processing is necessary for the purposes of the legitimate interests pursued by DS or by a third-party vendor.
Where personal data was not collected directly from the Data Subject, DS shall/may provide the Data Subject with the following additional information:
The source from which the personal data was collected.
This notification shall be provided to the Data Subject at the latest:
Within a month of obtaining the data.
At the time of first communication with the Data Subject.
Where disclosure to another recipient is envisaged, when the personal data is first disclosed.
Where personal data is collected for marketing purposes, or might be used for marketing purposes in the future, DS shall ensure that it is clearly explained to the individual how he or she can object to such marketing.
DS shall ensure that the personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Grounds for Processing:
DS shall ensure that the processing of personal data is not carried out in a way which breaches or potentially breaches any legal and regulatory obligations, including statutory provisions, applicable laws, or contractual terms.
DS shall ensure that personal data or special categories of personal data collected for specified, explicit and legitimate purposes are not used for another, incompatible purpose, unless a relevant exemption under the applicable legislation applies.
DS shall ensure that, where personal data is to be used for a new purpose, the consent of Data Subject is obtained prior to processing, unless a relevant exemption applies.
DS shall make all possible efforts to ensure the accuracy of personal data as provided by the Data Subject and, where necessary, take all possible steps to keep it up to date.
DS shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
DS shall make all possible and available efforts to ensure that the personal data is protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage by the implementation of appropriate technical or organizational security measures.
DS shall specify security controls as appropriate:
DS shall implement appropriate technical and organizational measures which are designed to implement data privacy principles in an effective manner and to integrate the necessary safeguards into processing such as:
Encryption/pseudonymization of personal data and special categories of personal data.
The ability to ensure ongoing confidentiality, integrity, availability, and resiliency of the processing systems.
The ability to restore the availability and access to personal data in a timely manner in the event of a data privacy incident and personal data breach.
Process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Data Management Policy
Data Retention Period Protocols
Data processed, stored, collected, or accessed by DS is retained, stored, and erased in line with applicable laws. It may be archived for as long as DS believes that the purpose for which it was used still exists, as necessary for DS’s legitimate business interests or for complying with legal obligations, or for the period specified in the applicable laws.
Suspension of Record Disposal for Litigation or Claims
DS shall analyse a “Right to Erasure” request in the context of the organization’s legal and regulatory obligations and its effect on the rights and freedoms of other data subjects, and shall determine whether the request can be fulfilled.
Retention, Destruction, and Disposal of records
DS shall archive data that regulatory and compliance laws require to be kept beyond its retention period, rather than deleting it upon expiration.
Wherever applicable, DS shall destroy data when it is no longer necessary for the purposes of processing, in accordance with applicable data retention laws. DS shall also destroy data when the data subject withdraws the consent on which the processing is based and there is no other legal or regulatory ground for processing or retaining the data.
Third Party Data Transfer
DS will share your personal information with third parties in accordance with the third-party data transfer policy. We do not sell your personal information to third parties.
Transfers Subject to Appropriate Safeguards
In the absence of an adequacy decision, DS shall take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject.
Adequate safeguards may be provided by:
Binding corporate rules (agreements governing transfers made between organizations within a group).
Standard data protection clauses adopted by the applicable authorities and regulators pursuant to the examination procedure stated in the applicable laws.
Compliance with a code of conduct approved by the applicable authorities and regulators (including the supervisory authority).
Contractual clauses authorized by the competent authorities and regulators (including supervisory authority).
DS does not engage in the collection, processing, storage, use, dissemination, or transfer of the personal data of children. If a child under the age of 13 has provided DS with personal information online, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. In the event DS becomes aware that a User is a minor or below the legal age of consent in the jurisdiction concerned, DS reserves the right to terminate all services to such User/Account without prior notice.
Data Privacy Incidents and Personal Data Breaches
DS has defined appropriate escalation and communication procedures to report data privacy incidents and personal data breaches.
Data privacy incidents and personal data breaches shall be reported immediately to the Governance Risk and Compliance Officer (referred to as “GRCO”) at email@example.com. The report shall include full and accurate details of the data privacy incident or personal data breach.
Upon receiving a report of a data privacy incident or personal data breach, GRCO shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the applicable regulators and authorities, including the supervisory authority, unless the data privacy incident or personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
The communication to the data subject by GRCO shall describe, in clear and plain language, at least the following information:
The nature of the data privacy incident or personal data breach.
The name and contact details of GRCO or of another contact point where more information can be obtained.
The likely consequences of the data privacy incident or personal data breach.
The measures taken or proposed to be taken by DS to address the data privacy incident or personal data breach, including measures to mitigate its possible adverse effects.
Data Subject Rights
Right To Be Informed
DS shall provide the following information to the Data Subject when collecting personal data relating to the Data Subject:
The identity and the contact details of the organization and, where applicable, of the organization’s representative.
The contact details of the GRC officer, where applicable.
The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
The legitimate interests pursued by the controller or by a third party.
The recipients or categories of recipients of the personal data, if any.
Where applicable, the fact that the organization intends to transfer personal data to a third country or international organization, and the existence or absence of an adequacy decision.
The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
The existence of the right to request from the organization the rectification or erasure of personal data or restriction of processing concerning Data Subject or to object to the processing as well as the right to data portability.
The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
The right to lodge a complaint with a supervisory authority.
Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
Where the personal data has not been obtained from the Data Subject, the source from which it originated and, if applicable, whether it came from publicly accessible sources.
The organization shall provide information on the action taken on a Data Subject’s request without undue delay and in any event within one month of receipt of the request, for the following rights:
Right to Access
The organization shall provide the following rights to the Data Subject:
Data Subject shall have the right to obtain from the organization confirmation as to whether the personal data concerning him or her is being processed.
The Data Subject shall have the right of access to personal data collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing and to obtain the following information:
The purposes for which the personal data is processed and where possible the period for which the personal data is processed.
The categories of the personal data concerned.
The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations.
Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
The existence of the right to request from the organization the rectification or erasure of personal data or restriction of processing personal data concerning the data subject or to object to such processing.
The right to lodge a complaint with a Supervisory Authority/Commissioner.
Where the personal data is not collected from Data Subject, any available information as to their source.
The existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the consequences of such processing for Data Subject.
The organization shall use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. The organization shall not retain personal data for the sole purpose of being able to react to potential requests.
Right to Rectification
The organization shall provide the following data rectification rights to the Data Subject:
Data Subject shall have the right to obtain from the organization without undue delay the rectification of inaccurate personal data concerning him or her.
Considering the purposes of the processing, Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to Erasure (‘Right to be Forgotten’)
The organization shall provide the following data erasure rights to the Data Subject:
The Data Subject shall have the right to have his or her personal data erased and no longer processed without undue delay where:
The personal data is no longer necessary in relation to the purposes for which it is collected or otherwise processed.
Data Subject has withdrawn his or her consent and where there is no other legal ground for processing.
Data Subject objects to the processing of personal data concerning him or her.
The processing of the personal data does not otherwise comply with the applicable regulations.
The organization has made the personal data public and is obliged to erase it, including any links to, copies of, or replications of the personal data.
The personal data must be erased for compliance with a legal obligation to which the organization is subject.
The right to erasure shall not apply to the extent that processing is necessary in the following scenarios:
For exercising the right of freedom of expression and information.
For compliance with a legal obligation to which the organization is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organization.
For public interest in the area of public health.
For archiving purposes in the public interest, scientific or historical research purposes.
For the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing
The Data Subject shall have the right to obtain from the organization restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by Data Subject, for a period enabling the organization to verify the accuracy of the personal data.
- The processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The organization no longer needs the personal data for the purposes of processing, but it is required by Data Subject for the establishment, exercise, or defense of legal claims.
- The Data Subject has objected to processing pursuant to the right to object described below.
- If the Data Subject has obtained restriction of processing, he or she shall be informed by the controller before the restriction of processing is lifted.
- Personal data subject to restriction shall only be processed with the Data Subject’s consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of public interest.
The organization, on the request of the Data Subject, shall provide the list of recipients to whom personal data has been disclosed.
Right to Data Portability
- The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the organization, in a structured, commonly used, machine-readable and interoperable format.
- Data Subject shall have the right to have the personal data transmitted directly from one organization to another, where technically feasible.
- That right shall be strictly limited to the Data Subject’s own personal data.
Right to Object
- The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on lawful processing. The organization shall no longer process the personal data unless the organization has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.
- Where personal data is processed for direct marketing purposes, Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
- Data Subject may exercise his or her right to object by automated means using technical specifications.
Right Not to be Subject to a Decision Based Solely on Automated Processing
- The Data Subject shall have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her, which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as e-recruiting practices without any human intervention. Such processing includes ‘profiling’, that is, any form of automated processing of personal data that evaluates the personal aspects relating to a natural person, in particular to analyze or predict aspects concerning his or her performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location, or movements, where it produces legal effects concerning the Data Subject or similarly significantly affects the Data Subject.
- In order to ensure fair and transparent processing in respect of the Data Subject, taking into account the specific circumstances and context in which the personal data is processed, the organization shall use appropriate mathematical or statistical procedures for the profiling; implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimized; and secure personal data in a manner that takes account of the potential risks to the Data Subject’s interests and rights.
- Automated decision-making and profiling based on special categories of personal data shall be allowed only under specific conditions.
- The GRCO shall take an action as requested by Data Subject and shall provide the response to Data Subject, without undue delay.